Is it solely by exploiting that accessing a given memory address depends on its location? E.g. column hit? Or is it just the CPU cache pre-fetching? Or is it something else (or more)?
Also, how does the attacker find out the location of picked address? Is it by looking at the total time (say) argon2/balloon runs? E.g. some thing like time echo "pass" | argon2 ...? Or is it deeper on per memory selection/hop/jump within the single argon2 run?
Since operating systems have virtual memory, how would the adversary find out which address argon2/balloon are accessing?
